Add initial mbedTLS v4 support #3532
Easton97-Jens wants to merge 4 commits into owasp-modsecurity:v3/master from
Pull request overview
Adds initial build/runtime compatibility with Mbed TLS 4.x’s TF-PSA-Crypto layout by updating bundled Mbed TLS paths/sources and migrating MD5/SHA1 hashing to the generic mbedtls_md API.
Changes:
- Switch MD5/SHA1 helpers from the deprecated per-hash headers/functions to the generic mbedtls_md API (mbedtls/md.h + mbedtls_md()).
- Update autotools build files to include the TF-PSA-Crypto include paths and compile the new TF-PSA-Crypto source locations.
- Update Win32 CMake build to compile the TF-PSA-Crypto source set and adjust include directories accordingly.
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| src/utils/sha1.h | Migrates digest implementation to generic mbedtls_md API. |
| src/utils/md5.h | Updates MD5 wrapper to use the updated DigestImpl template. |
| src/Makefile.am | Adds TF-PSA-Crypto include paths for libmodsecurity compilation. |
| others/Makefile.am | Repoints bundled Mbed TLS subset headers/sources to TF-PSA-Crypto layout. |
| Makefile.am | Extends cppcheck include paths for TF-PSA-Crypto headers. |
| configure.ac | Updates configure-time check to detect TF-PSA-Crypto base64 source path. |
| build/win32/CMakeLists.txt | Rebuilds bundled crypto subset from TF-PSA-Crypto sources and updates include dirs. |
Hi @Easton97-Jens, there are two SonarCloud reports in
Pull request overview
Copilot reviewed 8 out of 8 changed files in this pull request and generated 1 comment.
- Migrate to TF-PSA-Crypto layout - Fix include and linkage issues - Harden runtime checks - Improve error and exception handling - Refactor digest helper and buffer usage
7c0e6e9 to c43e0c8
Pull request overview
Copilot reviewed 8 out of 8 changed files in this pull request and generated 3 comments.
| static std::array<unsigned char, DigestSize> calculateDigest( | ||
| std::string_view input) { | ||
| std::array<unsigned char, DigestSize> digestBytes = {}; | ||
|
|
||
| const mbedtls_md_info_t *mdInfo = mbedtls_md_info_from_type(DigestType); | ||
| if (mdInfo == nullptr) { | ||
| throw DigestCalculationException( | ||
| "mbedtls_md_info_from_type() returned nullptr"); | ||
| } | ||
|
|
||
| const auto *inputBytes = | ||
| static_cast<const unsigned char *>(static_cast<const void *>(input.data())); | ||
|
|
||
| if (const int ret = mbedtls_md( | ||
| mdInfo, | ||
| inputBytes, | ||
| input.size(), | ||
| digestBytes.data()); ret != 0) { | ||
| throw DigestCalculationException("mbedtls_md() failed"); | ||
| } |
| const std::string digestString(digestBytes.begin(), digestBytes.end()); | ||
| return utils::string::string_to_hex(digestString); |
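Review bot: The mbedtls_md() failure path throws the fixed message "mbedtls_md() failed" and discards `ret`; include the return code in the exception text (format it into the message, or pass it as a second constructor argument) so a digest that is missing or misconfigured in the TF-PSA-Crypto build can be diagnosed from the log rather than reproduced under a debugger. The nullptr check on mbedtls_md_info_from_type() is the right guard for a digest that was compiled out. Separately, calculateDigest is declared to return `std::array<unsigned char, DigestSize>`, while the trailing lines build `digestString` and return `utils::string::string_to_hex(digestString)`; if those lines belong to the same function the return type does not match, so confirm that the hex conversion lives in the MD5/SHA1 wrappers that call calculateDigest rather than in calculateDigest itself.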
| class DigestCalculationException : public std::exception { | ||
| public: | ||
| explicit DigestCalculationException(const char *message) noexcept | ||
| : m_message(message) { } | ||
|
|
||
| using DigestOp = int (*)(const unsigned char *, size_t, unsigned char []); | ||
| const char *what() const noexcept override { | ||
| return m_message; | ||
| } | ||
|
|
||
| private: | ||
| const char *m_message; | ||
| }; |
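Review bot: DigestCalculationException stores a non-owning `const char *m_message`, so `what()` is only valid while the string passed to the constructor outlives the exception; that holds for the string literals used here, but breaks as soon as a caller builds the message dynamically (for example to include the mbedtls return code). Deriving from std::runtime_error, which copies its message, removes that hazard together with the hand-written what() and m_message. The alias `using DigestOp = int (*)(const unsigned char *, size_t, unsigned char []);` placed between the constructor and what() matches the old per-hash mbedtls_md5()/mbedtls_sha1() signature; with the digest now routed through mbedtls_md() it appears unused, so drop it if it survives in the new version (it also sits inside the exception class body, where a function-pointer alias for the digest does not belong).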
what
- Replace the deprecated per-hash helpers (md5.h, sha1.h) with the generic mbedtls_md API.
- Update configure.ac to work with the Mbed TLS 4.x layout.

why
- The build references library/base64.c, which no longer exists in 4.x, breaking ./configure and compilation.

references
- library/base64.c when using Mbed TLS 4.x — Is support planned? #3450